Why is gateway transit required for VM NICs, but not PaaS services Private Endpoints?

[o-l-a-v]

Regarding VNet peering, Hub/Spoke:

• https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered

I found that you can reach a Key Vault Private Endpoint (with public endpoint disabled) in a spoke with VNet peering without gateway transit enabled. While reaching a VM on 22 or 3389 TCP did not work until gateway transit was enabled on the same peering.

Why is that? Can't see that mentioned in this documentation, thus asking.

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 6860efb1-ddab-04a1-bf34-4e0a41844102
• Version Independent ID: 2321ec49-4cb8-d477-3430-44af3790bcdd
• Content: Azure VPN Gateway: About P2S routing - Azure VPN Gateway
• Content Source: articles/vpn-gateway/vpn-gateway-about-point-to-site-routing.md
• Service: vpn-gateway
• GitHub Login: @cherylmc
• Microsoft Alias: cherylmc

[KapilAnanth-MSFT]

@o-l-a-v

Can you please explain your infrastructure.

• For VMs as well as Private EndPoints between a Spoke VNet to Hub Vnet connected using Peering, you do not have to enable Gateway Transit to access from the Hub Vnet. The connectivity would work fine just with the Peering.
• Similarly, if you are going to access the VM/Private EndPoint from OnPremises, you will be required to enable Gateway Transit in both the cases.

[o-l-a-v]

Setup is a basic hub/spoke network.

• Both hub and spoke has VMs and a Key Vault with private endpoint only (public endpoint disabled).
• Peered without gateway transit at first, later enabled gateway transit to get traffic to VM to work.
• No Azure Firewall or other NVA/router/FW in hub yet. So spoke to spoke transit does not work. But should not be relevant.
• Hub has Virtual Network Gateway.
  • SKU: VpnGw1
  • P2S VPN
  • Azure AD SSO
  • Additional routes: Whole CIDR range we've dedicated to Azure, a whole /16.. And a /24 to the VNet of a spoke with a Key Vault that work without gateway transit.
  • VPN type: Route based.
  • VPN profile sends DNS requests to DNS Private Resolver located in Hub.

What works through P2S VPN without gateway transit enabled:

• SSH to Linux VM in Hub (on IP)
• RDP to Windows VM in Hub (on IP)
• TCP 443 to Key Vault with Private Endpoint only in Spoke (on FQDN)

What does not work through P2S VPN without gateway transit enabled:

• SSH to Linux VM in Spoke (on IP)
• RDP to Windows VM in Spoke (on IP)

[KapilAnanth-MSFT]

@o-l-a-v

You are using a custom configuration here. By custom, I mean that you are advertising a whole /16 in the Additional routes.

• Without this, connection to Private EndPoints of Spoke VNets would not be feasible.
• Hence, this is not documented anywhere.

Having stated that, why PE works but a VM doesn't with Additional routes requires a deeper investigation.

At this point, I would recommend you to please post your observation on Microsoft Q&A and other forums, we have our engineers and others who are monitoring them and will be happy to help or Create an Azure Support Incident where a support engineer can have a screen share session to pinpoint the behavior.

I shall close this issue now. In case you do not have a support plan, please do let us know, we will try and help you get a one-time free technical support.